File name: | Chew7.exe |
Full analysis: | https://app.any.run/tasks/633c7f35-22ac-4433-8808-62049be1fa75 |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 05:53:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 7B232997942B2A5C7E4DBE931BB4C67C |
SHA1: | 06C6D3B5B66585F03BAB25C774BAADB575CB1515 |
SHA256: | 0A88FAA27484C7C163BC90FBF806A9DAB84226C2F60F3410695278EE76D065F5 |
SSDEEP: | 98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (43.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (16.2) |
.exe | | | UPX compressed Win32 Executable (15.9) |
.exe | | | Win32 EXE Yoda's Crypter (15.6) |
.dll | | | Win32 Dynamic Link Library (generic) (3.8) |
AssemblyVersion: | 0.0.0.0 |
---|---|
ProductVersion: | 1.1.0.0 |
ProductName: | Chew7 v1.1 |
OriginalFileName: | Chew7.exe |
LegalCopyright: | © Chew7. All rights reserved. |
InternalName: | Chew7.exe |
FileVersion: | 0.6.8.4 |
FileDescription: | The Science of Activation |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.1.0.0 |
FileVersionNumber: | 0.6.8.4 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x47c7fe |
UninitializedDataSize: | - |
InitializedDataSize: | 108032 |
CodeSize: | 4696576 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2010:08:01 23:59:57+02:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3324 | "C:\Users\admin\Downloads\Chew7.exe" | C:\Users\admin\Downloads\Chew7.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: The Science of Activation Exit code: 3221226540 Version: 0.6.8.4 | ||||
3760 | "C:\Users\admin\Downloads\Chew7.exe" | C:\Users\admin\Downloads\Chew7.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: The Science of Activation Version: 0.6.8.4 | ||||
2684 | "C:\Windows\System32\taskkill.exe" /f /im cmd.exe | C:\Windows\System32\taskkill.exe | — | Chew7.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3040 | "C:\Windows\System32\taskkill.exe" /f /im hale.exe | C:\Windows\System32\taskkill.exe | — | Chew7.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2580 | "C:\Windows\system32\hale.exe" | C:\Windows\system32\hale.exe | Chew7.exe | |
User: admin Integrity Level: HIGH | ||||
3692 | cmd /c ""C:\Users\admin\AppData\Local\Temp\3121.tmp\hale.cmd" " | C:\Windows\system32\cmd.exe | — | hale.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2620 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2748 | FIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7" | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (grep) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2972 | REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3888 | C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (3760) Chew7.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3760) Chew7.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2580) hale.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2580) hale.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | — | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 |
Operation: | write | Name: | |
Value: | |||
(PID) Process: | — | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 |
Operation: | write | Name: | LastAttempt |
Value: install |
PID | Process | Filename | Type | |
---|---|---|---|---|
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\plat.cmd | text | |
MD5:18E656CB3DD56AF78AC3C58C7018145A | SHA256:A18F490DFE451F8C14EAF07951292CC45318073DDBAC65B18831668F48D811B2 | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\mtmp.cmd | text | |
MD5:02D7EBAD35B5624A751243D101A540CE | SHA256:7686C1B97D3F80D042AAC35D82B5E5B558A494AE3E0E35DE81A47C413D9020AC | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\postw.cmd | text | |
MD5:C794EC73494F3AEC4067E8BDC954B53F | SHA256:F646BCC720792EEF578FA4F6298A272FD43EC49CAD664D1D06F963B812D9F589 | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\intv.cmd | text | |
MD5:3AB983628DA0FD9F8AFD497D07F33D76 | SHA256:97754BA105CD61128EBEF8AAB5272F669A72B64F44B6D861C8D507C088410A27 | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\pendx.cmd | text | |
MD5:3AF31A071967EC43A0AC6E3605FF1D8C | SHA256:A0197323DA44005AEC9726CABAEE9F1027FA07EB5367F3FCEAAD05E3728C0324 | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\hash.cmd | text | |
MD5:467B51F35949C5A3F722BA736CE920E4 | SHA256:6C28FA6BF656B77085B464485FD085D4D6EEB7E3A0FF2DFF690DC813B492580C | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\hale.cmd | text | |
MD5:6CE66570BFAB35A20D280D9833049E97 | SHA256:C755237B5C58134FF21520F7D2D401E5C9AD40D05DC76FE317FFD238ECAFECF2 | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\tick.cmd | text | |
MD5:D32C42E48DDEE14FDDD78BAE6866CFC2 | SHA256:7BA5AF7F29496E9C5EB780CD484623ECAF0443299EA9693261516DFB60401266 | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\plog.cmd | text | |
MD5:D638644C3BB80F1E98AE06FA85680EB1 | SHA256:E8A990623424631496704087D29F05300BC5EFABB47C94FFE7F6BD46D803B587 | |||
2580 | hale.exe | C:\Users\admin\AppData\Local\Temp\3121.tmp\lhed.cmd | text | |
MD5:34670DB25D9AFD4F3912F77F2E5C7D08 | SHA256:A4761B5A5F5E6542867BA1CAA87676410B7AEDCCD762826359046167771659FF |